May 25, 2023 • 10 min read • By Marty Swant
With Europe’s GDPR in effect five years this week and Apple’s ATT in action two years as of last month, one of the advertising world’s next expected major catalysts is Google’s plans for its long-awaited Privacy Sandbox. Last week, the company finally shed new light on its plans with more details and a lengthy timeline. (It will deprecate third-party cookies for 1% of Chrome users globally in the first quarter of 2024).
Before the latest announcement, Digiday spoke with Google Senior Director of Product Management Victor Wong to learn more about the plans for the next 18 months, the company’s approach to the major overhaul and how it’s addressing everything from industry skepticism to regulatory scrutiny.
Prior to joining the company last September to lead the Privacy Sandbox product team, Wong spent several years at Meta working on data privacy across monetization products. In an open letter last month published on Google’s blog, Wong outlined four “core tenets” guiding the company’s plans, including universal privacy and access to information, viable alternatives for ads without third-party cookies, technical privacy protections, and solutions that are built “in the open” and in collaboration with the overall industry.
“If you just killed third-party cookies today, but there’s no solution for publishers and consumers for ad-supported media, you actually end up in some cases with worse privacy,” Wong told Digiday. “Because folks move to more intrusive tracking where users have less understanding and less control.”
This annotated conversation, which includes some perspective and context alongside Wong’s answers, has been edited and condensed for length and clarity.
On testing in 2023 and 2024
“There are many different testing methodologies out there based on different testing goals, [and] many different types of ad tech goals. And so we expect folks to use these different phases however they want, really. There’s no one test, so to speak, to rule them all. Everyone kind of has unique needs, and so we’re providing these different phasings and expect folks to have different metrics they might use to evaluate the effect of this, and different modes of testing based on their specific needs as well. So it kind of speaks to really the diversity of the ad-tech ecosystem and the needs to meet those.”
Since Sandbox was first announced in 2020 — and delayed twice since then — the ad-tech industry has waited, waxed, worried and wondered when Google might provide clarity for a timeline and other actual steps for an official rollout. Google revealed a more concrete roadmap for deprecating third-party cookies, starting this July with Chrome 115 and spanning through the end of 2024.
How Google’s taking Sandbox feedback while changing Chrome
“Now that we actually have gotten extensive feedback and have made a lot of improvements to APIs based on the feedback, we feel very confident that these will be the APIs to help the industry to transition off third-party cookies in this time period. We’re very certain about the designs at this point. And that’s basically why we’ve taken this deliberate approach of a [small percentage of] testing, etc., to now get to a place where we’re going to ramp to 100%. Now, that’s introducing a technology. Removing a technology is far less common so we want to be very deliberate and methodical in how we’re doing it.”
Over the past year, tests for the new APIs have been what Wong described as “original trials” that entail releasing them for a small percentage of traffic at random before gathering feedback and continuing based on it. Some marketers are glad Google is finally opening testing more broadly so ad-tech partners, publishers and advertisers can begin testing themselves. Other critics have noted that earlier tests have still used third-party cookies to some extent within the Privacy Sandbox, therefore tainting the results — or at least reducing trust in them.
How Sandbox intersects with regulatory oversight and other ad-tech overhauls like IAB Europe’s TCF
“I think [real-time bidding] is under tremendous scrutiny and pressure the way it’s currently designed. And that’s because RTB evolved over the decades, or at least certainly 10-plus years. This kind of preceded a lot of the common and growing expectations around privacy, and how data should be handled. So when I think about Privacy Sandbox, it’s not designed with any specific regulatory challenges in mind. But writ large, the expectations are to move to a private-by-design solution. Today, RTB basically [includes] lots of folks [that] crept up that users don’t always know necessarily. TCF tries to solve that in its own way.”
Since it debuted in 2018, IAB Europe’s Transparency and Consent Framework (TCF) has sought to help Europe’s ad-tech ecosystem comply with privacy laws such as GDPR that govern real-time bidding and other ways user data are collected, shared and used across various companies. Instead, the plan has faced legal scrutiny and industry doubts that have led to a multi-year evolution of the framework. Some see TCF as a main alternative to Google, but privacy advocates have said it doesn’t properly safeguard European user data. (In 2020, Google announced it would integrate with TCF 2.0.) Earlier this year, the Belgian Data Protection Authority approved IAB Europe’s six-month overhaul of the framework, which launched as TCF 2.2 in mid-May.
On criticism that Google could favor itself again like it’s been accused of with past programs like AMP, etc.
“A different team, but I can speak to how our teams approach this, which really gets to that fourth principle I outlined where basically this has to be built in the open and in collaboration with the industry. Over the last few years, we’ve put out public proposals, solicited feedback and changed API designs based on that feedback…We have deliberately engaged the ecosystem proactively and with [plenty of] advance warning on changes coming. In contrast, other platforms that are more closed and that don’t necessarily share the same principles, we have taken a very different approach…You need to do what’s appropriate for the specific problem.”
In 2015, Google rolled out its Accelerated Mobile Pages (AMP) program as a new standard for designing pages that loaded faster while providing publishers with more ad formats that also loaded faster. However, in the years since then, AMP has faced a range of criticisms including a 2017 revelation that Russian hackers were exploiting AMP to send phishing emails. Last year, legal documents in a lawsuit against Google filed by state attorneys general claimed Google slowed load times for non-AMP ads and prioritized AMP links in search results.
On criticism that Topics API isn’t as private for users as Google makes it seem
“Topics have been an area where folks have differences of opinion on what the design should be, as we expect. Basically, with Privacy Sandbox, we think that it’s important to have a middle-ground approach where some folks are going to say, ‘Just get rid of cookies and don’t build any replacements.’ Other folks are gonna say, ‘Keep the existing system in place and don’t change anything.’ We exist in the middle here and that’s where Topics is as well.”
By introducing Topics, the goal is to move away from the old taxonomy of data-driven categories based on massive amounts of user data and instead provide advertisers with ways of reaching users based on topics of interest. By encouraging first-party data use as part of its Topics API, Wong said Google is letting publishers attract more advertisers based on topical interest.
On transparency and collaboration in light of the ongoing DOJ’s antitrust case
“The APIs are designed to work the same for everyone. We put out the public proposals, we show exactly how it’s gonna work. So the APIs will work the same for Google as they will work for any other player. We also have strong commitments made to regulators around exactly how we go about designing this and treating Google just the same as everyone, basically. And I think just in terms of broader transparency around the efforts, folks are able to self-identify themselves as testers on GitHub, among other places. Generally, we encourage folks to develop and test out in the open. Folks will publish test results and we’re very happy to see that feedback come from various corners.”
Alphabet faces a major antitrust case from the U.S. Dept. of Justice, which is scheduled to go to trial in September. Much of the case hinges on claims that Google has spent years conducting anticompetitive behavior that the DOJ says has led to a monopoly. The case involves Google’s ad exchange and publisher ad server and various acquisitions the giant has made over the years as part of its strategy to stamp out competition. Now, if Google wants to get industry buy-in for Sandbox, it will need to convince ad-tech partners and publishers that they won’t be put at a new disadvantage with future privacy changes. Wong also pointed out several times that Sandbox is being developed in consultation with UK Competition and Markets Authority (CMA), which Google is legally required to do because of competition concerns.